During my first SANS experience last week, I also opted to participate in NetWars Core the nights of Day 4 and Day 5. This was also my first NetWars experience, and I came in having pretty low goals, since I didn’t really know what this was all about. I basically wanted to see the top 10 leaderboard for first timers and unlock Level 3 by the end of the event. Turns out, I unlocked Level 4, held onto overall first for several hours, and finished in 2nd place amongst the individuals (and 6th overall), earning me a NetWars coin and invite to the Tournament of Champions in December!

For those unfamiliar, NetWars Core is a two-day event held on site for 3 hours both nights. You show up with a laptop in hand and get handed a USB stick. On the USB stick are some supporting documents and a virtual machine image to load up. Once loaded up and signed into the event, the countdown begins! Once started, the event website allows access to a battery of questions whose answers are found either in the supporting documents or on the VM itself. These questions cover a wide variety of information security topics, from linux and windows systems administration commands, technical trivia, analyzing forensic evidence, examining network traffic, decoding hidden messages, and reversing malware. There are things for defenders and attackers alike.

Upon arriving, I was given the event USB stick, an instructional piece of paper, and 2 drink tickets good for free drinks from the open bar in back. The tickets certainly beat paying up to $12 for a glass of wine! And as each night moves on, you can get more tickets from the minders handing them out. The dimly lit room itself slowly filled up with fellow geeks, the glow of laptop monitors, and the swell of some light techno music from the speakers up front.

The desks all have power provided and a wired switch for use if one does not want to trust the wireless network, which itself was solid the entire event. The instruction sheet gave details on signing up for an account at CounterHack and the username and password for the Virtual Machine. A web-based VM could be connected to from the CounterHack site (with added latency, of course), or one could just use the VM included on the USB stick.

The USB stick included the event VM and some additional files. Before the event truly started, I copied all of the files to my local Windows system and fired up the VM in VM Workstation 14 Pro (trial). It converted and fired up without issue, and default networking settings allowed it access out to the Internet (needed) through my host laptop. I rebooted it and gave it some more RAM for good measure.

After waiting around a bit, the event kicked off! I started out super slowly as I acclimated myself again to the Linux VM, sheepishly Googling up some commands that I should have known, and otherwise having some issues getting into a groove. But eventually I did hit a groove.

Level 1 and Level 2 are basically traditional Jeopardy-style CTF questions. You are asked something about a file or command or binary or whatever, and you work to provide the answer. Sometimes it just means running a few commands, sometimes it means doing some forensics or attacks on various artifacts. Each question has points assigned to them. The more questions you answer, the more points you get, and the more questions open up below those. The first incorrect answer on all questions didn’t cost anything, but subsequent tries would cost more and more points (up to a certain amount).

Most questions have hints you can unlock. These hints do not cost any points, and you can unlock as many or as few as you want. The only role they play is as a tiebreaker in the unlikely event of a tie in points. The hints themselves range from terms you can Google all the way up to actually giving you the command(s) to run to find the answer. This hint system makes the early parts of the event very accessible to anyone with even passing Linux experience.

After hitting a groove and getting a feel for the questions and VM, I appeared on the top 10 leaderboard, and for the rest of the 3 hours on Day 1 I skipped up and down with my fellow geeks from about 10th place up to a peak of 3rd place or so for brief moments. Early on, one team surged very far into the lead, and the admins of the event sought them out. Within a few minutes, their team was removed from the boards. Turns out they had some veterans on the team, and to avoid discouraging other teams, the admins “ghosted” their score off the board.

The scoreboards are broken down into a top 10 list of individuals and a top 10 list of teams. I believe teams can be 5 or less members. In other events, I think veterans and first-timers are also separated out, but for this event, we were all put into the same boards (they gave a reason why, but I didn’t follow it).

At the end of Day 1, I was firmly into Level 2 with 100 points, and sitting at 8th place on the boards. The first place individual had 146 points and the highest team (visible) had 155 points. I retired to my room, but spent the next 3-4 hours working on various questions that I hadn’t gotten to. I think the small break I took to get to my room and settle in really helped, as I hit a stride over those few hours and solved quite a few puzzles and staged up the answers for Day 2. While the game system itself is closed overnight, as long as you keep the question window up and have any hints you want opened up, you can still see and work on the questions on the local VM. This is true for Level 1 and Level 2, but not for subsequent levels.

Day 2
As Day 2 started, I had a flurry of points submitted in the first 60 minutes, and I actually surged into first place overall with 241 points and 2.5 hours remaining. At this point, I hit a wall. Over the next 1.5 hours, I held onto my lead with 269 points, but others were slowly closing in as I stalled out.

Eventually, at level 3 you can attack and attempt to infiltrate remote systems and networks as an attacker. and from there begin attacking other systems in that DMZ network and answer questions on a separate scoreboard. I was rusty with this, as my day job does not involve attacking systems. The Level 3 hints also became time sucks, with some seriously deep trivia that required heavy Googling and searching. Would help immensely to have a wingman doing just those items! Level 4 involves even deeper access. Ultimately, level 5 is reached and at that point those contestants have to defend their servers and services against others at level 5, while attempting to attack the others and earn points through uptimes.

I spent the next hour watching as a rival passed me up for first place, and the teams jostled for their positions. With 30 minutes left, the admins replaced the scoreboard with a countdown clock. After time ran out, winners were announced and I found out that no one else managed to pass me for second place. I finished with 275 points, with first place sitting at 297. The ghosted team of veterans finished with the top score of 370, but the admins also awarded prizes for the next team, which had 301 points; only 6 points ahead of their next rival!

Honestly, had I tackled this event last year, fresh off my OSCP certification, I realistically would have expected at least another 40 points or so. I had lots of time left, and not much comfort level with the attacks I needed to perform at the later stages.

Overall
I had an absolute blast with this event and the question formats. I’m looking forward to doing another one of these, or also trying out the DFIR and Defense ones as well.

Tips from a First-Timer
Spend Day 1 trying to unlock everything you can, including hints. You want to get as far into the levels as possible, with the ultimate goal of getting into the Level 3 and Level 4 stages.

Try to make sure you get the question finished that yields root access to the local VM. This is important in order to progress further.

With Level 3 unlocked, start attacking it right away. Again, it’s more about getting as far as possible, rather than clearing each level completely. The points-per-question trend a little bit upwards as you go.

One could conceivably unlock level 4 without doing much at level 3. Just from my perspective, I think getting dug into level 3 is more important.

The night between the days can be spent researching Level 3+ strategies, but also backfilling Level 1/2 questions and researching Level 3 hints.

Day 2 should be spent trying to open up Level 5 by performing successful attacks and eventual pivoting into internal networks.

For some added drama, the admins turn off the scoreboard for the final 30 minutes. If you’re feeling brave, feel free to bank some points to score during this time. This would be an excellent moment to finish submitting any level 1 and level 2 answers that weren’t needed to open up the higher levels. Of course, the downside might be encountering technical issues that prevent more scores from being posted, so do so at your own peril!

I strongly suggest writing down and saving out answers to a text file in the crazy event the VM crashes or becomes unstable. Near the end of Day 2, my VM’s xfce often became unresponsive, and I wasn’t in a position where I wanted to reboot it fully. I probably lost a good 30 minutes of productivity this way.

Lastly, have fun. Use those drink tickets if you are so inclined, and enjoy!

This past week I attended my first SANS event, SANS West in San Diego. I took the FOR508 course, Advanced Digital Forensics, Incident Response, and Threat Hunting with Eric Zimmerman. Overall, the course and SANS experience was excellent, and I hope to do it again next year!

I chose this course as forensics and incident response at this depth isn’t something I’ve heavily done. I’ve looked into malware incidents and done Windows admin troubleshooting for years, but this course takes things to another level with being able to dissect memory and disk images to find badness. My goal is to continue being well-rounded. I can attack systems, perform forensics on the attacks, inform my defenses to improve them, and complete the loop by doing better attacks. This course helped directly improve one of those areas.

I’ve also never had the opportunity to take training like SANS. There’s a whole list of courses I’d like to take and not nearly enough time to do them all, so I wanted to aim high and make sure I had plenty to learn for the experience. I think I was right on with my pick!

This course turned out wonderfully for me. Days 1 through 4 were spent looking for artifacts in Windows disk images and memory dumps using the SIFT Workstation. I knew enough through years of Windows admin troubleshooting to immediately grasp about 60% of it, and the remaining 40% was very accessible for me. On Day 3 in particular I learned some nuances I didn’t know before, like the shimcache and prefetch files and how to use powerful automated tools to make the work easier. Honestly, I can’t imagine the tedious work to find artifacts in gigs of data before these automated tools were around!

Day 5 went super dense and into relatively new territory for me, by diving into the deep end with NTFS forensics. Definitely the hardest day for me, and considering the long stares by just about everyone in the class, I wasn’t alone in this!

Day 6 involved a day-long capstone event where we broke into groups and did a blitz investigation of an incident. This was pretty fun, even though my group didn’t get a coin, but I feel like I learned a lot more by being able to not only put tools to work, but to also find many of the actual correct answers from the incident. It certainly helps the confidence level!

I also really love the process of forensics. It’s not about following a list of commands or a rigid sequence to find answers. It’s about running all sorts of things to find artifacts, and then stitch together a picture through fact and through some gut feels on what happened. You run 10 commands, put some things together, and maybe even go back and run some of the commands again, but with better information like specific times or location to do a deeper dive. Each piece of the puzzle found allows the investigator to look at every other piece of evidence with new light. I also learned the benefit of good corporate baselining and having the capability to pull full disk and memory images. This is a big deal for success with forensics capabilities.

What’s next?
First, I have plenty of studying and practice to tackle before the GCFA certification exam. After that, I can start planning my course next year, with the front-runner being SEC 542/GWAPT. Yes, this is an offensive cert, but it’s compelling right now to do something red team and shore up what I feel I’m weaker with: web app testing. If this training cycle continues, I’d like to alternate defense and offense each year.

Any lessons learned?
I hesitated bringing a second, portable laptop monitor. But there were several in class who had space at their spot for it. Considering my laptop of choice already has smaller resolution compared to current systems, I would have brought the second monitor if I did it again. Worst case, we’re packed into our seats and I don’t have room during the days, but I could still use it for NetWars or working in the hotel room.

That said, I wouldn’t mind a slightly more modern laptop, just from a resolution/screen real estate standpoint. My main hacking system is a ~2013 Lenovo X230 with upgraded disks and RAM. It’s wonderful for the most part, but I could use a newer model 470 or something that remains portable, but allows for good screen resolution.

Turn off host AV. Be sure you are comfortable using your VM host of choice. Don’t use a work computer unless you have full administrative control over it and its protections. This includes turning off malware tools, but also being able to access things like Google Docs.

I’m saving the details for a separate post, but always be sure to sign up for and try out NetWars!

I liked this post by Tim MalcolmVetter: How to Pass a Red Team Interview. Some takeaways from it are definitions of what red team means and characteristics of a good red team candidate.

Trustworthiness – I tend to stick to the term integrity, but mostly because I think it has similar, but broader meaning.

Know the role/know yourself – Kind of goes without saying.

Healthy competition – I like this one, and it should go without saying, but still unfortunately needs said. The offensive teams exist to help test, inform, and improve the blue team. This often just means being able to help the blue team stop attacks that get through and missed weaknesses, but could mean much deeper interaction.

Creativity – This is one thing I really like about security. In terms of normal IT operations, sure you can be creative with solutions and dealing with people, but often you’re still playing within the bumpers of a bowling lane, i.e. technology capabilities and limitations (developers excepted). With security, you can creatively look between the lanes, over the lanes, under the lanes. You get to poke in the places not normally poked and do so in creative ways on a red team. Good security is as much an art as an objective, to me.

Operational IT experience – I like seeing this item here, though I’m sure entry level security aspirants hate seeing it. But it continues to be true, even more so for a red team member whose goal is to inform the blue team intelligently. In order to do so, you need some measure of understanding about what the blue team is doing, how they do it, why they do it, and why the business needs get weaved into that. It’s not just to know the gaps in the blue team defenses (because you’ve felt those gaps from being on the blue team). It also helps when being creative with attacks and when setting up testing labs.

Development skills – This tends to be one of the harder places to get started. 1) Learn some language or scripting tool, 2) find ways to get practice, and 3) find more ways to keep practiced. It’s those last two that can be difficult and often takes real effort unless you have some corporate project set in front of you that you can use that knowledge against. The author’s point here is excellent (though I would add in some Bash knowledge): “Red Team candidates should at least script in python or powershell. Candidates who can build web apps, implants in C/C++, and manage infrastructure will have a huge leg up.” I really like the inclusion of being able to build a web app, maybe not necessarily an “app” as much as a dynamic web page, but along with that comes valuable knowledge in web architecture, server configuration, coding, SQL, etc.

Unique skills – I also like seeing this item, though it’s a hard pill to swallow for so many. But that’s the point of true red teams; a team of people who fill various roles and specializations. A team of people who all kinda do the same thing isn’t very efficient. Now, that’s not to say every person should come into a new team and be the absolute expert on a particular thing or technology or technique, but they should be the expert of that thing on their team. Until you find a good team to call home for a long time, it’s good to be broad and/or have things one is better at, but definitely look for those gaps in any team you interview with and see if you can fit those openings. Chances are good candidates can adapt and utilize their experience, integrity, and creativity to fill most gaps in a red team.

Lastly, I wanted to just flat out quote the author, “…if you can phish and think like a covert systems administrator, then you can probably be successful on a red team.” But also know that, …”If you want to end up doing red team work, then do yourself a favor and get a variety of roles and exposure before moving into red team — it will still be there when you’re ready.”